A Million Imgur Users Affected By Breach

Do you use the image hosting service, Imgur? If you do, there’s a slight chance that you’ll be prompted to change your password the next time you log on. That’s because the company’s servers were breached in 2014, and the hackers made off with 1.7 million usernames and passwords, which represents just a tiny fraction of the company’s 150 million users.

Although the breach happened a few years ago, the company only found out about it on Thanksgiving Day of this year. Their response was immediate and decisive. The company called people in over the holiday and notified their impacted users just 25 hours and 10 minutes after discovering the details of the incident.

Contrast that to Uber’s handling of their most recent hack. They kept their impacted users in the dark for more than a year, and worse, paid the hackers $100,000 to keep the incident quiet. It’s easy to see why security professionals around the world have lauded Imgur for their handling of the hack.

Three key things to note in relation to the breach:

  • Not much information was stolen during the hack because Imgur doesn’t ask its users for much in the way of personal information in the first place. However, if you use your Imgur password on other systems, you could be at additional risk.
  • At the time of the breach, Imgur was using SHA-256 hashing, which is fairly robust and impractical for most hackers to crack due to the amount of computational power required.
  • In 2015, the company switched to an even more secure algorithm, Bcrypt, so if the company is breached again in the future, it’ll be even harder for the hackers to glean anything useful from any data stolen.
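To make the difference between the two schemes concrete, here is an added example (not Imgur's code) contrasting an unsalted fast hash with a salted, deliberately slow key derivation. bcrypt is not in the Python standard library, so `hashlib.pbkdf2_hmac` stands in for the "slow, salted" scheme; the iteration count and the `scheme$iterations$salt$digest` storage format are assumptions for the example.

```python
"""Password storage: fast unsalted hash vs. salted, slow key derivation.

Added example, not Imgur's code. bcrypt is not in the standard library,
so PBKDF2-HMAC-SHA256 stands in for the slow, salted scheme (assumption).
"""
import hashlib
import hmac
import os
from typing import Callable, Optional

ITERATIONS = 200_000  # work factor (assumed value); raise it as hardware gets faster


def fast_hash(password: str) -> str:
    """Unsalted SHA-256, shown only as the weak baseline.

    Identical passwords give identical digests, and each candidate costs a
    single hash call, so a leaked table can be attacked at the hash's speed.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def slow_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256 with a tunable work factor.

    The salt and the iteration count are stored with the digest so the value
    can be verified later and the work factor raised over time.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def same_password_same_record(scheme: Callable[[str], str]) -> bool:
    """True when two users with the same password get the same stored value.

    That property is what lets one guess be checked against every account in a
    leaked table at once; a per-user salt removes it.
    """
    return scheme("correct horse battery") == scheme("correct horse battery")


if __name__ == "__main__":
    record = slow_hash("hunter2")
    print("stored record:", record)
    print("verify correct password:", verify("hunter2", record))
    print("verify wrong password:", verify("hunter3", record))
    print("fast hash repeats across users:", same_password_same_record(fast_hash))
    print("slow hash repeats across users:", same_password_same_record(slow_hash))
```

The point the list makes is visible in the last two lines of output: with the unsalted fast hash every user who picked the same password shares one record, while the salted scheme gives each user a distinct record that also costs far more to check.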

All that to say, if you’re looking for a benchmark to compare yourself to if you’re ever hacked, Imgur’s example would be an excellent one to follow.

Watch Out For New Facebook “Trusted Friend” Scam

If you can’t trust your friends, who can you trust?

No one, apparently.

There’s a new scam on Facebook that’s making waves, and it’s one you should be mindful of. You may get an “urgent message” from someone you know, asking for your help in recovering their Facebook account.

This is a tried and true phishing scam, relying on some basic psychology. After all, if you get an earnest sounding message from someone you know explaining that you’re listed as one of their “Trusted Friends” and as such, uniquely positioned to help verify their identity so they can get access to their account back, who wouldn’t instinctively respond? This is exactly what the scammers are hoping for.

The message goes on to explain that they’re sending an unlock code to your email address, and they just want you to reset the password for them.

Unfortunately, the unlock code is nothing of the sort. Instead, it triggers a password reset for your own account. If you click the link and “reset your friend’s password,” then reply back, helpfully telling him or her what the new password is, you’ve inadvertently given your own login information to the hackers. From there, the sky’s the limit.

What makes this latest scam particularly problematic is that so many other web properties allow you to use your Facebook login details to access them, which is a roundabout way of saying that you’re using the same login credentials across multiple websites – one of the most basic and pervasive problems of user security in existence.

There’s no real defense for this other than vigilance, and if you see a message like this, simply ignore it. If your “trusted friend” genuinely needs help regaining control of their account, Facebook has resources to assist.

New Facebook Messenger App For Kids Raises Privacy Questions

On the surface, the new Facebook For Kids messenger app looks like a solid win that should put the minds of parents all over the world at ease.

The company conducted extensive interviews and assembled a Blue-Ribbon panel of experts to help them craft the new tool, aimed at children ages 6-12. The app itself is user friendly and filled with bright, cheerful primary colors that appeal to kids, but there are problems, or, at the very least, valid concerns.

For one thing, Facebook has made no mention of how it plans to monetize its new app, other than to say that it won’t contain any advertising. It’s not difficult to imagine some possibilities, however, and none of them good.

For another, the company essentially used scare tactics to get parents to sign their kids up for the service, saying essentially that kids are going to chat online anyway, and if they don’t use Facebook’s new offering, they are at greater risk of talking to a child predator.

Then, there’s the issue that Facebook requires the child’s full name, and behind the scenes, the app is busily mapping out the child’s social network – who his parents are, the friends of both the children and their parents and so on.

According to the company, it has no plans to turn children’s accounts into full-fledged Facebook profiles, but given the amount of data being collected, it’s not hard to imagine them offering a one-click export function that would turn these accounts into regular Facebook accounts on the day the child turns 13.

What’s most disheartening of all is the fact that the company could have chosen another, far less intrusive route. Rather than requiring the child’s full name and the establishment of a familial relationship, the app could have been nested directly under the parent’s account, with a nickname or even a colorful symbol used to denote the child. This approach would have been far less data intensive and far less intrusive.

How well the new app will be received remains to be seen, much like the long-term consequences of its launch.

Facebook Has A Major Problem With Fake Accounts

Facebook has been in hot water with evidence mounting that hordes of fake accounts were used to spread misinformation about the recent presidential election.

In addition to sparking congressional hearings, it also prompted Facebook and the other major social media companies to do a deep dive into their own active accounts and get a better sense of just how large and pervasive the problem was.

According to Facebook’s most recent quarterly earnings report, the problem turned out to be a fair bit larger than was first imagined. The company changed their methodology for tracking and identifying fake accounts, which has led to the grim discovery that some 13 percent of the company’s accounts are duplicates, a figure that doesn’t take into account the more than 60 million outright bogus accounts.

According to Facebook’s founder and CEO, Mark Zuckerberg, in the earnings report: “We’re serious about preventing abuse on our platforms. We’re investing so much in security that it will impact our profitability. Protecting our community is more important than maximizing our profits.”

The problem is going to wind up costing Facebook in a number of ways. First and most obvious, of course, is the unwanted attention caused by the congressional hearings themselves, and the loss of trust it creates in the platform.

More immediately, there’s also the factor addressed directly by Zuckerberg in his statement. The company is spending a ton of money on improving security and rooting out and shutting down duplicate and fake accounts. As he indicated, it’s having an impact on their profitability.

It’s also impacting the company’s ability to generate ad revenue, which, of course, is based on the number of actual users the company can claim are viewing ads. With more than a quarter of a billion duplicate and fake accounts in the system, the network is simply less attractive to advertisers.

There are no simple solutions here, but kudos to Facebook for making significant investments to rein the problem in.

Virus Spread Through Facebook Messenger Mines For Cryptocurrency

Facebook scams are fairly common occurrences, owing to the sheer size of the platform’s user base. It’s no surprise that there’s a new one making the rounds that you should be aware of.

This latest threat was discovered by researchers at Trend Micro, and makes use of Facebook Messenger. If you get a message containing an embedded video file saved as a zip (the file name usually appears as “video_xxxx.zip”), don’t click on it, even if it’s from someone you know.

This file is a modified form of a legitimate piece of software called “XMRig”, an open source project that allows users to mine the cryptocurrency called Monero.

When the user clicks on this poisoned version, it will direct them to a website controlled by the hackers, in addition to quietly installing the corrupted software in the background. Once installed, the hackers put the infected PC’s processor to work for them, creating a distributed network of hash power to solve advanced cryptographic puzzles and generate new Monero “coins” for themselves.

The hackers have gone to some lengths to mask their true intentions. The site appears to be a video streaming service, and users who click on the embedded file will actually see a video playing. Of course, the website is also part of the C&C structure.

There are several intriguing things to note about this new threat:

  • It only affects people who use the Google Chrome web browser
  • It only affects PCs and Laptops. Smartphones are not impacted in any way
  • The miner software is actually controlled via the C&C server, meaning that the hackers can upgrade their malware, adding new functionality in the blink of an eye

So far, the virus has been spreading mostly in Southeast Asia, but has also begun appearing in Ukraine and Venezuela. Given the global nature of Facebook’s user base, this is wholly unsurprising, so be on the lookout for it. Don’t click embedded files in Messenger, even if you think you know the sender.

Vertical Video Support On YouTube For iOS Finally Here

The owners of Android devices have been able to properly view vertical videos for more than two years, but for Apple users, it was a different story.

Instead of getting the traditional full-screen experience when viewing vertical videos, Apple users were saddled with annoying vertical bars that would appear on either side of the video itself. It’s a small thing, but undeniably annoying. Now, at long last, the problem has been solved, and Apple users can enjoy the same vertical, full-screen experience as the rest of us.

YouTube announced the upgrade in a tweet that read as follows:

“Bye-bye, black bars. Now the YouTube player on iOS will automatically adapt to the shape of the video you’re viewing!”

It matters because smartphones were designed to be held in that position, so it’s the natural way to interact with the device, no matter what you’re doing with it, including watching videos.

There’s one caveat, however: A surprising number of vertical videos won’t go full screen because they’ve actually been encoded with black bars on the sides, which technically makes them landscape vids that are only mimicking the appearance of a vertical video.

Now that YouTube has made this change, over time, you’ll probably see fewer and fewer videos shot like this and uploaded. In the short to medium term, don’t be the least bit surprised if you run into videos shot like this on a regular basis.

Why it took the company so long to update the Apple version of their app with this functionality, no one knows, but it’s not hard to hazard a few guesses. In any event, it’s not something that’s likely to have a major impact on your life, but it is a welcome change and we were happy to see it.

Facebook Post Removals May Soon Get An Appeals Process

There are some big changes coming to Facebook, which may have some serious unintended consequences.

In a recent interview, Mark Zuckerberg indicated that he’s considering allowing users to independently appeal to the content moderation team if their posts get taken down for violating various community policies.

On the surface of it, this seems like it would be a good thing. Zuckerberg said that the move is designed to give people in the Facebook communities what they want, rather than reflecting short-term, profit-driven wishes of the shareholders.

It’s a significant change because as of right now, Facebook only allows for appeals if content was removed for violation of copyright laws. In addition, the appeal must be made via a DMCA (Digital Millennium Copyright Act) notification, which makes it a somewhat daunting process.

Zuckerberg describes the new approach as follows: “So maybe the folks at Facebook make the first decision based on the community standards that are outlined, and then people can get a second opinion.  You can imagine some sort of structure, almost like a Supreme Court, that is made up of independent folks who don’t work for Facebook, who ultimately make the final judgement call on what should be acceptable speech in a community that reflects the social norms and values of people all around the world….I think we can build that internally as a first step.”

All of that looks good on paper, but there are some major problems with this approach.

First, the company will struggle to find enough volunteers to monitor content and appeals to keep pace with demand. Given the size of Facebook’s footprint on the web, that’s a very real concern. The new, easier appeal policy is certain to cause the number of appeals to explode.

Second, if not done with great care and forethought, it could further polarize the platform. It could lead to the development of more estranged “information silos,” which runs counter to what the company ultimately wants its global network to be. In addition to that, it could easily lead to a massive backlash against the company.

Time will tell, but the coming months should be interesting indeed.

Facebook Users Should Assume Their Public Profile Has Been Scraped

First it was 55 million.  Then 77 million.  Now, it’s 2.2 billion, or pretty much every user on Facebook.  That’s how many people should assume that their public profile information has been scraped.

The conversation began when it came to light that Cambridge Analytica (a political research firm) had misused Facebook’s search function to scrape profile data for tens of millions of Facebook’s users to help the Trump campaign win the recent presidential election.

As research into the matter has continued, however, it has become clear that Cambridge Analytica wasn’t the only group misusing the search feature, and that before Facebook disabled it, more than two billion of Facebook’s users had seen their public profile information scraped.

Essentially, Facebook was used to paint a more complete picture of users to build a profile which could be sold on the Dark Web.

Starting with stolen phone numbers or addresses, hackers developed automated routines that fed this information into Facebook’s search function, enabling them to link these bits of information with the names and locations of specific people.  Having a more complete profile in hand made the data that much more valuable on the Dark Web, where it is currently being resold.
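The pattern described here, an automated routine feeding already-held phone numbers and email addresses into a lookup feature, is detectable on the platform side because a legitimate user rarely performs many distinct contact-identifier lookups in a short window. The following added example (not Facebook's code) runs a sliding-window detector over constructed search-log lines; the log format, actor ids, field names, window and threshold are all assumptions chosen for the illustration.

```python
"""Flagging reverse-lookup enumeration in search logs.

Added example, not Facebook's code. Log format, actor ids, window and
threshold are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Constructed sample log: timestamp, acting account, query type, query value.
# u1001 hammers phone/email lookups; u2002 behaves normally; u3003 looks up
# many numbers but slowly, one every two minutes; the last line is malformed.
SAMPLE_LOG = """\
2018-03-01T10:00:00 actor=u1001 type=phone q=+15550000001
2018-03-01T10:00:01 actor=u1001 type=phone q=+15550000002
2018-03-01T10:00:02 actor=u1001 type=phone q=+15550000003
2018-03-01T10:00:03 actor=u1001 type=phone q=+15550000004
2018-03-01T10:00:04 actor=u1001 type=phone q=+15550000005
2018-03-01T10:00:05 actor=u1001 type=phone q=+15550000006
2018-03-01T10:00:06 actor=u1001 type=email q=a@example.com
2018-03-01T10:00:07 actor=u1001 type=email q=b@example.com
2018-03-01T10:00:10 actor=u2002 type=phone q=+15550001234
2018-03-01T10:02:30 actor=u2002 type=name q=Jane%20Doe
2018-03-01T10:05:00 actor=u2002 type=email q=jane@example.com
2018-03-01T10:00:00 actor=u3003 type=phone q=+15550002001
2018-03-01T10:02:00 actor=u3003 type=phone q=+15550002002
2018-03-01T10:04:00 actor=u3003 type=phone q=+15550002003
2018-03-01T10:06:00 actor=u3003 type=phone q=+15550002004
2018-03-01T10:08:00 actor=u3003 type=phone q=+15550002005
2018-03-01T10:10:00 actor=u3003 type=phone q=+15550002006
this line is malformed and is skipped by the parser
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) actor=(?P<actor>\S+) type=(?P<type>phone|email|name) q=(?P<q>\S+)$"
)

Event = Tuple[datetime, str, str, str]


def parse(log: str) -> List[Event]:
    """Parse log lines into (timestamp, actor, query type, query); skip junk."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["actor"], m["type"], m["q"]))
    return events


def flag_enumerators(
    events: List[Event], window: timedelta = timedelta(seconds=60), threshold: int = 5
) -> Dict[str, int]:
    """Return {actor: peak distinct contact lookups in any window} for actors at or over threshold.

    Only phone and email lookups count: those are the identifiers an attacker
    already holds and wants to tie to a name. Name searches are ignored.
    """
    by_actor: Dict[str, List[Tuple[datetime, str]]] = defaultdict(list)
    for ts, actor, qtype, q in sorted(events):
        if qtype in ("phone", "email"):
            by_actor[actor].append((ts, q))

    flagged: Dict[str, int] = {}
    for actor, lookups in by_actor.items():
        peak, start = 0, 0
        for end in range(len(lookups)):
            # advance the window start until the window spans at most `window`
            while lookups[end][0] - lookups[start][0] > window:
                start += 1
            distinct = len({q for _, q in lookups[start : end + 1]})
            peak = max(peak, distinct)
        if peak >= threshold:
            flagged[actor] = peak
    return flagged


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("1-minute window:", flag_enumerators(evs))
    print("10-minute window:", flag_enumerators(evs, window=timedelta(minutes=10)))
```

Running it shows why the window length matters: with a one-minute window only the fast scraper `u1001` is flagged, while the patient one, `u3003`, is only caught once the window is widened to ten minutes. A production detector would layer several windows and add signals such as the share of lookups that hit accounts with no connection to the actor.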

At 2.2 billion impacted users, it’s certain that this will be the year’s largest data breach. In fact, this one is likely to hold the world record for quite some time.

Facebook’s CEO, Mark Zuckerberg issued an apology to the company’s massive user base.

Mike Schroepfer, the company’s Chief Technology Officer, had this to say:

“Until today, people could enter another person’s phone number or email address into Facebook search to help find them.  This has been especially useful for finding your friends in languages which take more effort to type out a full name, or where many people have the same name.  However, malicious actors have also abused these features to scrape public profile information by submitting phone numbers or email addresses they already have through search and account recovery…we believe most people on Facebook could have had their public profile scraped in this way.”

Some Private Posts On Facebook May Have Been Exposed

Facebook is in hot water again.  Recently, the company admitted that while testing a new feature on the site, they inadvertently made public the posts of more than fourteen million users.  The incident occurred between May 18th and May 22nd and occurred when Facebook was testing a new “Featured Posts” enhancement.

The goal was that users could selectively make posts visible to everyone.  Unfortunately, the error created a situation where any posts users in the test group made were automatically shared to everyone.  The company found and corrected the mistake on May 27th, but during the intervening span of days, any posts those users made were set to global visibility.  Facebook is currently in the process of contacting the impacted users and asking them to review any posts they made during the impact period.
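The failure described here is a classic one: a feature-eligibility flag leaking into the audience default, so that merely being in the test group widened every post's visibility. The following added example (not Facebook's code; the data model, field names and sample posts are constructed for illustration) shows that shape of bug next to a fail-closed version in which eligibility and the user's explicit per-post choice are kept separate, plus an audit helper of the kind needed to find posts that ended up wider than the author chose.

```python
"""Audience resolution under a feature flag: the bug shape and a fail-closed fix.

Added example, not Facebook's code. The data model and sample posts are
constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional

PUBLIC, FRIENDS = "public", "friends"


@dataclass
class User:
    user_id: str
    default_audience: str = FRIENDS          # audience used when a post sets none
    in_featured_posts_test: bool = False     # eligibility flag for the new feature


@dataclass
class Post:
    author: User
    text: str
    audience: Optional[str] = None  # explicit per-post choice, or None for default
    featured: bool = False          # author opted to feature *this* post


def resolve_audience_buggy(post: Post) -> str:
    """Bug shape: the eligibility flag alone promotes every post to public,
    overriding both the author's default and any explicit per-post choice."""
    if post.author.in_featured_posts_test:
        return PUBLIC
    return post.audience or post.author.default_audience


def resolve_audience_fixed(post: Post) -> str:
    """Fail closed: eligibility (the flag) and consent (featured=True on this
    post) are both required to widen the audience; otherwise the explicit
    choice, then the author's default, applies."""
    if post.author.in_featured_posts_test and post.featured:
        return PUBLIC
    return post.audience or post.author.default_audience


def exposed_posts(posts: List[Post], resolver: Callable[[Post], str]) -> List[str]:
    """Audit: posts that resolve to public although the author never chose
    public for them, neither by explicit audience nor by featuring them."""
    return [
        p.text
        for p in posts
        if resolver(p) == PUBLIC and p.audience != PUBLIC and not p.featured
    ]


def sample_posts() -> List[Post]:
    """Constructed posts by a test-group user with a friends-only default."""
    tester = User("u1", in_featured_posts_test=True)
    return [
        Post(tester, "lunch photo"),                       # no choice: default applies
        Post(tester, "big announcement", featured=True),   # opted in to featuring
        Post(tester, "event notice", audience=PUBLIC),     # explicitly public
        Post(tester, "family update", audience=FRIENDS),   # explicitly friends-only
    ]


if __name__ == "__main__":
    posts = sample_posts()
    print("exposed under buggy resolver:", exposed_posts(posts, resolve_audience_buggy))
    print("exposed under fixed resolver:", exposed_posts(posts, resolve_audience_fixed))
```

Under the buggy resolver the audit lists the two posts the author never chose to make public, including one explicitly set to friends-only; under the fixed resolver it lists nothing, because the flag can only ever honour a choice the author already made on the post itself.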

Chief Privacy Officer Erin Egan had this to say: “To be clear, this bug did not impact anything people had posted before – and they could still choose their audience just as they always have.  We’d like to apologize for this mistake.”

Unfortunately, this is not the first time in the recent past that Facebook has gotten into hot water over the mishandling of user data.  Earlier this year, Facebook CEO Mark Zuckerberg had to testify before Congress after the company acknowledged that it had improperly shared private information pertaining to tens of millions of its users with Cambridge Analytica, which used the information in an attempt to influence the most recent presidential election.

Even if you’re not a member of the test group, if you use Facebook and made any posts between May 18th and May 27th when the company fixed the bug, it pays to review your posts just to make sure that their visibility has been properly set.